Our web history reveals what we think and do. Shouldn’t that remain private?

Author

Lecturer in Information Technology, Intellectual Property and Media Law, University of East Anglia

Disclosure statement

Paul Bernal received funding from the Arts and Humanities Research Council for his PhD, which was part of the research that underlies this work. He is a member of the Labour Party, on the Advisory Council of the Open Rights Group and part of the National Police Chiefs' Council's Independent Digital Ethics Panel.

An overlooked aspect of the draft Investigatory Powers Bill is the significance of demanding that service providers store 12 months’ internet connection records. A record of every website visited and internet service connected to, the government presents this as the online equivalent of an itemised phone bill. But this is a false analogy: internet connection records carry far more detail than a phone book, and the government’s move to claim them represents an unprecedented intrusion into our lives.

Supporters of the bill suggest that this data provides a way of checking that someone accessed Facebook at a particular time, just as phone records can reveal that a user called a particular number at a certain time. But while this is true, it misunderstands the role the internet has in our lives, and consequently underplays how much it can reveal.

The phone is a communications tool, but we have complex online lives and use the internet for many things other than “communication”. We do almost everything online: we bank online, we shop, find relationships, listen to music, watch television and films, plan our holidays, read about and indulge our interests.

Access to the websites we visit, for an entire year, is not at all comparable to having an itemised telephone bill. It’s more equivalent to tailing someone as they visit the shops, the pub, the cinema, listen to the radio, go to the park and on holiday, read books and magazines and newspapers, and much more.

It’s not just the data that’s revealing, it’s the sort of direct, logical inferences that can be made given a web browsing history. For example, from the fact that someone visits sites connected with a particular religion, one can infer that they follow that religion. If they visit sites regarding a particular health condition, it’s possible to infer that they may suffer from that condition, or are worried about their health.

There are less direct associations that can be made. Men who spend a lot of time watching old episodes of Top Gear, for example, might have sympathy for Jeremy Clarkson’s views on political correctness, or have sceptical views towards climate change. Those with a record of visiting pizza delivery websites might be assumed to have unhealthy lifestyles. The possibilities are huge, including not just the sites visited, but the time and pattern of those visits. Online a lot during the middle of the night? That in itself can reveal a lot about your schedule and how you live your life.

This kind of analysis is identical to that being developed by some of the biggest, most powerful and most technologically advanced corporations in the world. What Google, Facebook and others develop in order to identify target audiences for advertising or markets for products does just as good a job identifying people with particular political views.

The implications of the ability to draw these inferences should not be underestimated. If they’re accurate, they represent major intrusions into people’s privacy and personal lives, sometimes allowing analysts to predict a individual’s behaviour even more accurately than friends and close acquaintances can. Inaccurate inferences could also lead to damning profiling of innocent people, with terrible, life-destroying consequences.

What they can see gives away as much as what they can’t.Twitter

The danger of data

Beyond the dangers of what this data reveals about us, just asking ISPs to collect and store this information is an enormous risk in itself. In just the last few weeks, the TalkTalk hack should make the vulnerability of firms and their data crystal clear. By storing so much personal and potentially revealing or damaging information on their users, ISPs would become the target for criminals harvesting data for identity theft, scamming, blackmail (Ashley Madison style) and more.

Even if we assume that the intelligence services and police – and local councils and the taxman which will also have the right to claim that data – are above incompetence or malpractice, the fact that this information could fall into the hands of the criminal underworld should give the government pause for thought. Nor should we disregard the potential for individuals to misuse the data at their disposal – there have been many past cases of information being misused for personal reasons.

None of this is to say that internet connection records should not be collected. But the internet has brought about the potential for intrusion into people’s lives in a way that has never before been possible, so now, more than ever, we need a mature debate about privacy and surveillance – before it’s too late.